On April 22, The Sedona Conference (TSC) and its Working Group 6 (WG6) on International Electronic Information Management, Discovery, and Disclosure announced the publication of TSC’s Commentary and Principles on Jurisdictional Conflicts over Transfers of Personal Data Across Borders.
The goal of this Commentary is to: (1) provide a practical guide to corporations and others who must make day-to-day operational decisions regarding the transfer of data across borders; (2) provide a framework for the analysis of questions regarding the laws applicable to cross-border transfers of personal data; and (3) encourage governments to harmonize their domestic laws to facilitate global commerce.
The 90-page(!) PDF Commentary includes an Introduction, discussion of the six Choice of Law principles themselves, and an Appendix with a discussion of the background and complexity of data privacy issues. The six Choice of Law principles are as follows:
Principle 1: A nation has nonexclusive jurisdiction over, and may apply its privacy and data protection laws to, natural persons and organizations in or doing business in its territory, regardless of whether the processing of the relevant personal data takes place within its territory.
Principle 2: A nation usually has nonexclusive jurisdiction over, and may apply its privacy and data protection laws to, the processing of personal data inextricably linked to its territory.
Principle 3: In commercial transactions in which the contracting parties have comparable bargaining power, the informed choice of the parties to a contract should determine the jurisdiction or applicable law with respect to the processing of personal data in connection with the respective commercial transaction, and such choice should be respected so long as it bears a reasonable nexus to the parties and the transaction.
Principle 4: Outside of commercial transactions, in which the natural person freely makes a choice, a person’s choice of jurisdiction or law should not deprive him or her of protections that would otherwise be applicable to his or her data.
Principle 5: Data in transit (“Data in Transit”) from one sovereign nation to another should be subject to the jurisdiction and the laws of the sovereign nation from which the data originated, such that, absent extraordinary circumstances, the data should be treated as if it were still located in its place of origin.
Principle 6: Where personal data located within, or otherwise subject to, the jurisdiction or the laws of a sovereign nation is material to a litigation, investigation, or other legal proceeding within another sovereign nation, such data shall be provided when it is subject to appropriate safeguards that regulate the use, dissemination, and disposition of the data.
This is the final version, following the Public Comment Version issued last June. It’s available for download here. There’s also a 90-minute webinar regarding the commentary from last July that is available here.
So, what do you think? Will these principles help organizations effectively manage cross-border data transfers? Please share any comments you might have, or let us know if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.